SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

Mon, August 19 - Sat, August 24, 2019

The SEC504 content is up-to-date. The labs are awesome, and they work! Material is at the right level for a middle-level course.

Dan Eckstein, Nationwide

The emphasis on applied techniques in SEC504 is great. I learned things that will translate directly to my job.

Sarah Noles, ConAgra Foods

The Internet is full of powerful hacking tools and bad guys using them extensively. If your organization has an Internet connection or one or two disgruntled employees (and who doesn't!), your computer systems will get attacked. From the five, ten, or even one hundred daily probes against your Internet infrastructure to the malicious insider slowly creeping through your most vital information assets, attackers are targeting your systems with increasing viciousness and stealth. As defenders, it is essential we understand these hacking tools and techniques.

This course enables you to turn the tables on computer attackers by helping you understand their tactics and strategies in detail, giving you hands-on experience in finding security vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan. It addresses the latest cutting-edge insidious attack vectors, the "oldie-but-goodie" attacks that are still prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, the course provides a time-tested, step-by-step process for responding to computer incidents, and a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them. In addition, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence. Finally, students will participate in a hands-on workshop that focuses on scanning for, exploiting, and defending systems. The workshop will enable you to discover the holes in your system before the bad guys do!

This course is particularly well-suited to individuals who lead or are a part of an incident handling team. General security practitioners, system administrators, and security architects will benefit by understanding how to design, build, and operate their systems to prevent, detect, and respond to attacks.

You will learn:

How to best prepare for an eventual breach

The step-by-step approach used by many computer attackers

Proactive and reactive defenses for each stage of a computer attack

How to identify active attacks and compromises

The latest computer attack vectors and how you can stop them

How to properly contain attacks

How to ensure that attackers do not return

How to recover from computer attacks and restore systems for business

How to understand and use hacking tools and techniques

Strategies and tools for detecting each type of attack

Attacks and defenses for Windows, UNIX, switches, routers, and other systems

Application-level vulnerabilities, attacks, and defenses

How to develop an incident handling process and prepare a team for battle

Legal issues in incident handling

If you are unfamiliar with Linux, please view this short Intro to Linux video to help get you started.

Course Syllabus

Overview

Securing an infrastructure is a complex task of balancing business needs against security risks. With the discovery of new security vulnerabilities almost on a daily basis, there is always the potential for an intrusion. In addition to online intrusions, physical incidents like fires, floods, and crime all require a solid methodology for incident handling to be in place to get systems and services back online as quickly and securely as possible.

The first part of this course section looks at the invaluable Incident Handling Step-by-Step model, which was created through a consensus process involving experienced incident handlers from corporations, government agencies, and educational institutes and has been proven effective in hundreds of organizations. This section is designed to provide students with a complete introduction to the incident handling process, using the six steps (preparation, identification, containment, eradication, recovery, and lessons learned) one needs to follow to prepare for and deal with a computer incident.

The second part of this section examines from-the-trenches case studies to understand what does and does not work in identifying computer attackers. This section provides valuable information on the steps a systems administrator can take to improve the chances of catching and prosecuting attackers.

CPE/CMU Credits: 7

Topics

Preparation

Building an incident response kit

Identifying your core incident response team

Instrumentation of the site and system

Identification

Signs of an incident

First steps

Chain of custody

Detecting and reacting to insider threats

Containment

Documentation strategies: video and audio

Containment and quarantine

Pull the network cable, switch and site

Identifying and isolating the trust model

Eradication

Evaluating whether a backup is compromised

Total rebuild of the Operating System

Moving to a new architecture

Recovery

Who makes the determination to return to production?

Monitoring the system

Expect an increase in attacks

Special Actions for Responding to Different Types of Incidents

Espionage

Inappropriate use

Incident Record-keeping

Pre-built forms

Legal acceptability

Incident Follow-up

Lessons learned meeting

Changes in process for the future

SEC504.2: Computer and Network Hacker Exploits - Part 1

Overview

Seemingly innocuous data leaking from your network could provide the clue needed by an attacker to blow your systems wide open. This course section covers the details associated with reconnaissance and scanning, which are the first two phases of many computer attacks.

Your networks reveal an enormous amount of information to potential attackers. In addition to looking for information leakage and open-source intelligence (OSINT), attackers also conduct detailed scans of systems, scouring for openings to get through your defenses. To break into your network, they scope out targets of opportunity, such as weak DMZ systems and turnkey platforms, unsecured modems, or vulnerable Wi-Fi and proprietary wireless systems. Attackers are increasingly employing devious scanning techniques to target publicly accessible and internal systems, seeking opportunities to manipulate otherwise benign security policies designed to protect systems. Another very hot area in computer attacks involves detailed scanning and interrogation of Windows Active Directory domains, identifying and manipulating configuration policies to their significant advantage.

If you do not have the skills needed to understand these critical phases of an attack in detail, you will not be able to protect your network. Students who take this course and master the material will understand these attacks and the associated defenses.

It is imperative that you get written permission from the proper authority in your organization before using these tools and techniques on your organization's systems. You also need to advise your network and computer operations teams of your testing schedule.

SEC504.3: Computer and Network Hacker Exploits - Part 2

Overview

Computer attackers are ripping our networks and systems apart in novel ways, while constantly improving their techniques. This course section covers the third step of many hacker attacks: gaining access.

Attackers employ a variety of strategies to take over systems from the network level up to the application level. This section covers the attacks in depth, from the details of buffer overflow and common software flaw exploitation techniques to the latest in session hijacking of supposedly secure protocols. Additionally, you will get hands-on experience in running sniffers, exploiting common Windows networking vulnerabilities, using common tools for effective data shoveling, and bypassing host platform security endpoint tools.

Administrators need to get into the nitty-gritty of how the attacks and their associated defenses work if they want to effectively defend against these invasions. For each attack, the course explains the vulnerability, how various tools exploit it, the signature of the attack, and how to harden the system or application against the attack. Students who sign an ethics and release form are issued a USB drive containing the attack tools examined in class.

It is imperative that you get written permission from the proper authority in your organization before using these tools and techniques on your organization's system. You also need to advise your network and computer operations teams of your testing schedule.

Exercises

Hands-on Exercises with the Following Tools:

Manipulating DNS and Windows networking for credential harvesting

Using Netcat for transferring files, creating backdoors, and setting up relays

Metasploit, Metasploit, Metasploit, lots of Metasploit

ARP and MAC analysis for ARP cache poisoning attack detection

CPE/CMU Credits: 6

Topics

Physical-layer Attacks

Clandestine exploitation of exposed USB ports

Simple network impersonation for credential recovery

Hijacking password libraries with cold boot recovery tools

Gathering and Parsing Packets

Active sniffing: ARP cache poisoning and DNS injection

Bettercap

Responder

LLMNR poisoning

WPAD attacks

DNS cache poisoning: Redirecting traffic on the Internet

Using and abusing Netcat, including backdoors and insidious relays

IP address spoofing variations

Encryption dodging and downgrade attacks

Operating System and Application-level Attacks

Buffer overflows in-depth

The Metasploit exploitation framework

AV and application whitelisting bypass techniques

Netcat: The Attacker's Best Friend

Transferring files, creating backdoors, and shoveling shell

Netcat relays to obscure the source of an attack

Replay attacks

Endpoint Security Bypass

How attackers use creative office document macro attacks

Detection bypass with Veil, Magic Unicorn

Putting PowerShell to work as an attack tool

AV evasion with Ghostwriting

Attack tool transfiguration with native binaries

SEC504.4: Computer and Network Hacker Exploits - Part 3

Overview

This course section starts out by covering one of the attackers' favorite techniques for compromising systems: password attacks. We will analyze multiple attack techniques applied against password storage and selection, including password guessing and spray attacks, password cracking, and modern password mask recovery techniques. Then the course turns to another vital area often exploited by attackers: web applications. Because most organizations' homegrown web applications do not get the security scrutiny of commercial software, attackers exploit these targets using SQL injection, cross-site scripting, session cloning, and a variety of other mechanisms discussed in detail.

The course also presents a taxonomy of bots and malware attacks, including modern-day cryptomining and cryptolocker attacks. We conclude the day with a look at nasty denial-of-service attacks, illustrating how attackers can stop services or exhaust resources, as well as what you need to do to prevent their nefarious deeds.

Once intruders have gained access into a system, they want to keep that access, preventing pesky system administrators and security personnel from detecting their presence. To fool you, attackers install backdoor tools and manipulate existing software on a system to maintain access to the machine on their own terms. To defend against these attacks, you need to understand how attackers alter systems to discover the sometimes-subtle hints associated with system compromise. This course arms you with the understanding and tools you need to defend against attackers' maintaining access and covering their tracks.

It is imperative that you get written permission from the proper authority in your organization before using these tools and techniques on your organization's system. You also need to advise your network and computer operations teams of your testing schedule.

SEC504.5: Computer and Network Hacker Exploits - Part 4

Overview

This course section covers the fourth and fifth steps of many hacker attacks: maintaining access and covering their tracks. Computer attackers install backdoors, apply rootkits, and sometimes even manipulate the underlying kernel itself to hide their nefarious deeds. Each of these categories of tools requires specialized defenses to protect the underlying system. In this course, we will analyze the most commonly used malicious code specimens and explore future trends in malware designed to obscure an attacker's presence and disguise attribution.

Attackers also cover their tracks by hiding files, sniffers, network usage, and active processes. Additionally, they manipulate sophisticated network protocols to evade threat hunting systems and thwart investigations. Finally, attackers often alter system logs on UNIX and Windows systems, all in an attempt to make the compromised system appear normal. This course gives you the tools and techniques you need to detect and respond to these activities on your computers and network.

It is imperative that you get written permission from the proper authority in your organization before using these tools and techniques on your organization's system. You also need to advise your network and computer operations teams of your testing schedule.

Exercises

Hands-on Exercises with the Following Tools:

RootKits and detection

Detecting backdoors with Netstat, lsof

Manipulating Windows Event Logs for attack hiding

Hidden file detection with LADS

Analyzing memory dumps for attack identification

Covert channels using Covert_TCP

CPE/CMU Credits: 6

Topics

Maintaining Access

Backdoors: Using Poison Ivy, VNC, Ghost RAT, and other popular beasts

Trojan horse backdoors: A nasty combo

Rootkits: Substituting binary executables with nasty variations

Kernel-level Rootkits: Attacking the heart of the Operating System (Rooty, Avatar, and Alureon)

Covering the Tracks

File and directory camouflage and hiding

Log file editing on Windows and Unix

Accounting entry editing: UTMP, WTMP, shell histories, etc.

Covert channels over HTTP, ICMP, TCP, and other protocols

Sniffing backdoors and how they can really mess up your investigations unless you are aware of them

Steganography: Hiding data in images, music, binaries, or any other file type

Memory analysis of an attack

Putting It All Together

Specific scenarios showing how attackers use a variety of tools together

Analyzing scenarios based on real-world attacks

Learning from the mistakes of other organizations

Where to go for the latest attack info and trends

SEC504.6: Hacker Tools Workshop

Overview

Over the years, the security industry has become smarter and more effective in stopping hackers. Unfortunately, hacker tools are becoming smarter and more complex. One of the most effective methods to stop the enemy is to actually test the environment with the same tools and tactics an attacker might use against you.

This workshop lets you put what you have learned over the past week into practice. You will be connected to one of the most hostile networks on earth. This network simulates the Internet and allows students to try actual attacks against live machines and learn how to protect against these attacks. The workshop will supplement the classroom training that students have already received and give them flight time with the attack tools to better understand how they work. The instructor will provide guidance on exactly what is happening as exploits and defensive measures are running. As students work on various exploits and master them, the environment will become increasingly difficult, so students will have to master additional skills in order to successfully complete the exercises.

Additionally, students can participate in the workshop's Capture-the-Flag event. By penetrating systems, discovering subtle flaws, and using puzzle-solving techniques, you can test the skills you have built over the week in this engaging contest. The Capture-the-Flag victors will win the coveted SEC504 challenge coin.

CPE/CMU Credits: 6

Topics

Hands-on Analysis

Nmap port scanner

Nessus vulnerability scanner

Network mapping

Netcat: File transfer, backdoors, and relays

Microsoft Windows network enumeration and attack

More Metasploit

Exploitation using built-in OS commands

Privilege escalation

Advanced pivoting techniques

Additional Information

Laptop Required

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

This is common sense, but we will say it anyway. Back up your system before class. Better yet, do not have any sensitive data stored on the system. SANS is not responsible for your system or data.

CPU

64-bit Intel i5/i7 2.0+ GHz processor

Your system's processor must be a 64-bit Intel i5 or i7 2.0 GHz processor or higher. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About". Your processor information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac".

BIOS

Enabled "Intel-VT"

Intel's VT (VT-x) hardware virtualization technology should be enabled in your system's BIOS or UEFI settings. You must be able to access your system's BIOS throughout the class. If your BIOS is password-protected, you must have the password. This is absolutely required.

USB

USB 3.0 Type-A port

At least one available USB 3.0 Type-A port is required for copying large data files from the USB 3.0 thumb drives we provide in class. Some newer laptops may have only the smaller Type-C ports. In this case, you will need to bring a USB Type-C to Type-A adapter.

RAM

8 GB RAM (4 GB min)

8 GB RAM (4 GB min) is highly recommended for the best experience. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About". Your RAM information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac".

Hard Drive Free Space

100 GB Free space

100 GB of FREE space on the hard drive is critical to host the VMs and additional files we distribute. SSD drives are also highly recommended, as they allow virtual machines to run much faster than mechanical hard drives.

Operating System

Windows 10 or macOS 10.12+

Your system must be running either Windows 10 or macOS 10.12 or higher.

Additional Hardware Requirements

The requirements below are in addition to baseline requirements provided above. Prior to the start of class, you must install virtualization software and meet additional hardware and software requirements as described below. If you do not carefully read and follow these instructions, you will leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course.

Network, Wired Connection

A wired network connection: one that you can plug a cable into.

A wired connection is required in class. A wired network adapter is one that you plug a cable into. They are typically on the back or the side of your system. If your system supports only wireless, you can purchase a USB wired Ethernet adapter. This will allow you to plug the adapter into a USB port on your system and plug the network cable into the adapter.

Install VMware Player 12, VMware Fusion 8, or VMware Workstation 12 (higher versions are also OK). Older versions will not work for this course. Choose the version compatible with your host OS. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. VMware Workstation Player is a free download that does not need a commercial license but has fewer features than Workstation. THIS IS CRITICAL: Other virtualization products, such as Hyper-V and VirtualBox, are not supported and will not work with the course material.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Who Should Attend

Incident handlers

Leaders of incident handling teams

System administrators who are on the front lines defending their systems and responding to attacks

Other security personnel who are first responders when systems come under attack

General security practitioners and security architects who want to design, build, and operate their systems to prevent, detect, and respond to attacks

Justify Your Training

Use this sample training request letter, or elements of it, to justify the time and budget required to complete SANS training to your manager. Simply copy and paste text into an email to your manager, then make any necessary adjustments to personalize the information.

Author Statement

"When I was 18 I got caught hacking the school card catalog server. Instead of getting expelled, I became a school employee, spending the next 10 years working on improving security while getting better at using hacker tools, writing exploits, developing new techniques, and figuring out how to better respond to the onslaught of attacks. During that time, I came to understand the benefits of truly understanding attacker techniques to evaluate and improve on the defensive capabilities I managed.

In SEC504 we dig into the hacker tools, techniques, and exploits used by modern attackers from the perspective of an incident response analyst. We'll cover everything from reconnaissance to exploitation, and from scanning to data pillaging. The course lectures, hands-on lab exercises, and an immersive capstone event will arm you with the tools and techniques you need to make smart decisions about network security. Once you learn how hackers operate, you'll be better prepared to identify attacks and protect your network from sophisticated adversaries."